Audit Report

OIG-10-037
AUDIT REPORT
INFORMATION TECHNOLOGY: Improvements Needed in CDFI Fund's Access Controls and Configuration Management

February 25, 2010

Office of Inspector General
Department of the Treasury

Contents

Audit Report
    Results in Brief
    Background
    Findings and Recommendations
        Weak Passwords Were Used in CDFI Fund Applications and Systems
        Recommendations
        CDFI Fund Systems Were Configured With Insecure Default Settings
        Recommendations
        A Critical Patch Was Not Applied for One CDFI Fund System
        Recommendation

Appendices
    Appendix 1: Objectives, Scope, and Methodology
    Appendix 2: Management Response
    Appendix 3: Major Contributors to This Report
    Appendix 4: Report Distribution

Abbreviations

    CDFI Fund   Community Development Financial Institutions Fund
    FTP         File Transfer Protocol
    NIST        National Institute of Standards and Technology
    OIG         Treasury Office of Inspector General
    SNMP        Simple Network Management Protocol

Improvements Needed in CDFI Fund's Access Controls and Configuration Management (OIG-10-037)    Page 1

OIG
The Department of the Treasury
Office of Inspector General
Audit Report

February 25, 2010

Donna Gambrell
Director
Community Development Financial Institutions Fund

The objective of this audit was to determine if the Community Development Financial Institutions (CDFI) Fund had sufficient protections in place to prevent intrusions into its network and systems.

To accomplish our objective, we performed a series of vulnerability assessments and penetration tests of the CDFI Fund's network and systems. Additionally, we performed a series of social engineering tests to determine if users of the CDFI Fund's network and systems were aware of cybersecurity threats and users' role in protecting agency information technology resources.

We performed our fieldwork at CDFI Fund facilities in Washington, DC, from February through April 2009. The audit was performed in accordance with generally accepted government auditing standards.[1] Our objective, scope, and methodology are described in appendix 1.

[1] Government Accountability Office, Government Auditing Standards, GAO-07-731G (July 2007).

Results in Brief

We determined that, for the most part, the CDFI Fund has sufficient protection in place for its network and systems. Specifically, most CDFI Fund systems were up to date with the latest patches. Also, CDFI Fund staff had implemented a suite of monitoring tools for its network that reported current patch levels, monitored for suspicious activities, and provided notification to administrators of potentially suspicious activities. As a result, we were unsuccessful in establishing a remote connection into the CDFI Fund's network. However, we noted that improvements are needed in key access controls and in configuration management to prevent unauthorized users from gaining access and compromising data on the CDFI Fund's public Web site and within its network.

We found the following weaknesses:

1. Weak passwords were used in CDFI Fund applications and systems.
2. CDFI Fund systems were configured with insecure default settings.
3. A critical patch was not applied for one CDFI Fund system.

We are making seven recommendations to the CDFI Fund Director to address the findings noted above.

In a written response, the CDFI Fund Director provided plans for corrective actions that are responsive to the intent of our recommendations (see appendix 2).

Background

The CDFI Fund's mission is to expand the capacity of financial institutions to provide credit, capital, and financial services to underserved populations and economically distressed communities in the United States. The CDFI Fund was created to promote economic revitalization and community development through investment in and assistance to community development financial institutions. The CDFI Fund was established by the Riegle Community Development and Regulatory Improvement Act of 1994.

Since its creation, the CDFI Fund has awarded $1.13 billion to community development organizations and financial institutions (as of September 30, 2009). The CDFI Fund was further expanded in fiscal year 2009 with the enactment of legislation that created the Capital Magnet Fund, which will be implemented in fiscal year 2010, subject to funding availability. In addition, the CDFI Fund has allocated $26 billion in tax credit authority to Community Development Entities through the New Markets Tax Credit program.

To help ensure the important mission of the CDFI Fund is fulfilled, strong security controls are necessary to protect the confidentiality, integrity, and availability of the Fund's data and systems. Weak controls provide unauthorized users an opportunity to launch various programs that could allow them to view sensitive information, change or delete data, discover user names and passwords, initiate denial-of-service attacks, attack other entities, and impair the reputation and mission of the CDFI Fund.

Findings and Recommendations

Finding 1   Weak Passwords Were Used in CDFI Fund Applications and Systems

We determined that weak passwords were used in CDFI Fund applications and systems and that weak default passwords were used on the myCDFI Web site. In addition, 21 user accounts had passwords that were set to never expire. Two of these were end-user accounts for information technology personnel and one was an administrative account. We also found that databases had login accounts containing either blank passwords, passwords identical to the login name, or easily guessed passwords. One of these login accounts had full administrative rights on the databases and access to both personally identifiable information and potentially sensitive information. While the CDFI Fund password policy specifically addresses user accounts, it does not establish requirements for passwords used by applications and services.

We also found six printers that we were able to log onto using File Transfer Protocol (FTP) with blank login user IDs and passwords. A user would be able to use this access to view and download files sent to the printer and utilize the FTP service to attack other systems on the network. It should be noted that the CDFI Fund quickly corrected this problem after we discovered it. It should also be noted that we subsequently verified these accounts were in fact disabled. Therefore, we are not making a recommendation to address this particular issue.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 2, Recommended Security Controls for Federal Information Systems, states that an information system should enforce assigned authorizations for controlling access to the system in accordance with applicable policy and that an organization should enforce password minimum and maximum lifetime restrictions. In addition, as noted above, CDFI Fund password policy requires use of strong passwords for user accounts.

The Web site and database password weaknesses resulted from poor implementation of security procedures during the development of custom CDFI Fund applications.
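As an added illustration, not part of the OIG report, the following Python check applies the Finding 1 criteria to an account inventory: blank passwords, passwords identical to the login name, easily guessed values, accounts set to never expire or past a maximum lifetime, and a written policy whose scope covers user accounts only and so leaves application, service, and database accounts unaddressed. The record layout, the strength thresholds, and the sample accounts are assumptions, not CDFI Fund data.

```python
"""Password-weakness audit over an account inventory (added example).

Not part of the OIG report. The checks mirror Finding 1; the record
layout, the thresholds and the sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Assumed policy values (the report states none): NIST SP 800-53 asks for a
# maximum password lifetime; 90 days, 12 characters and 3 classes are placeholders.
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_LENGTH = 12
MIN_CLASSES = 3
# Constructed, deliberately tiny list of values an auditor would treat as guessable.
EASILY_GUESSED = {"password", "welcome", "changeme", "admin", "cdfi", "cdfifund"}

@dataclass
class Account:
    login: str
    kind: str                     # "user", "application", "service" or "database"
    password: str                 # value read from the app/DB configuration (assumption)
    last_changed: Optional[date]  # None when the system records no change date
    never_expires: bool = False
    privileged: bool = False

def strength_issues(pw: str, login: str) -> List[str]:
    """Reasons a single password value is weak; empty list when none apply."""
    if pw == "":
        return ["blank password"]
    issues = []
    if pw.lower() == login.lower():
        issues.append("password identical to login name")
    if pw.lower() in EASILY_GUESSED:
        issues.append("easily guessed password")
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
               + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))
    if classes < MIN_CLASSES:
        issues.append(f"fewer than {MIN_CLASSES} character classes")
    return issues

def audit_account(acct: Account, today: date) -> List[str]:
    """Strength issues plus the lifetime checks the finding calls out."""
    issues = strength_issues(acct.password, acct.login)
    if acct.never_expires:
        issues.append("password set to never expire")
    elif acct.last_changed is None:
        issues.append("no password change date recorded")
    elif today - acct.last_changed > MAX_PASSWORD_AGE:
        issues.append("password older than maximum lifetime")
    if acct.privileged and issues:
        issues.append("account is privileged: remediate first")
    return issues

def audit_inventory(accounts: Iterable[Account], today: date) -> Dict[str, List[str]]:
    """Map each weak login to its issues; accounts with no issues are omitted."""
    report = {}
    for acct in accounts:
        issues = audit_account(acct, today)
        if issues:
            report[acct.login] = issues
    return report

def policy_gaps(policy_scope: Set[str], accounts: Iterable[Account]) -> Set[str]:
    """Account kinds present in the inventory that the written policy does not cover."""
    return {acct.kind for acct in accounts} - set(policy_scope)

# Constructed sample inventory and audit date; not CDFI Fund data.
AUDIT_DATE = date(2009, 4, 30)
POLICY_SCOPE = {"user"}   # Finding 1: the written policy addressed user accounts only
SAMPLE = [
    Account("reports_svc", "service", "", None),
    Account("dbadmin", "database", "dbadmin", date(2008, 1, 10), privileged=True),
    Account("jdoe", "user", "Tr0ub4dor&3xample!", date(2009, 3, 15)),
    Account("it_helpdesk", "user", "Correct-Horse-Battery-9", date(2008, 11, 1), never_expires=True),
    Account("mycdfi_app", "application", "Welcome", date(2009, 4, 1)),
]

if __name__ == "__main__":
    for login, issues in audit_inventory(SAMPLE, AUDIT_DATE).items():
        print(f"{login}: {'; '.join(issues)}")
    print("policy does not cover:", sorted(policy_gaps(POLICY_SCOPE, SAMPLE)))
```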
We were unable to determine the specific cause of the nonexpiring passwords, but nonexpiring passwords typically result from administrators' efforts to minimize the need to synchronize passwords for network devices and shared administrative accounts. The six printers that we were able to log onto using FTP with blank login user IDs and passwords were printers on which the CDFI Fund network administrator was unaware that FTP service was active.

Poor administrative practices, such as failure to change default passwords or allowing the use of easily guessed passwords or blank passwords, often result in successful attacks on systems because they make it easier for attackers to gain unauthorized access. Once attackers gain access, they can both obtain sensitive information from a system and gather information that makes further attacks easier. Attackers who have gained access to a system are in a much better position to launch additional attacks that reach further into a system and to install backdoors that can bypass other security protections.

Recommendations

We recommend that the Director of the CDFI Fund do the following:

1. Update the CDFI Fund password policy to require strong passwords and password expirations for CDFI Fund applications and databases and enforce this policy for all CDFI Fund applications and databases.
2. Generate unique passwords for new user accounts and require that new users change their assigned default password during their initial login to the myCDFI application.

Management Response

The CDFI Fund has updated its password policy to require strong passwords and password expirations for all applications and databases. The CDFI Fund is currently enforcing this policy.

The CDFI Fund has generated unique, strong passwords for all new and current user accounts. The CDFI Fund requires that new users change their assigned default password during their initial login to the myCDFI application. This mitigation action was completed November 15, 2009.

OIG Comment

Management's reported corrective actions are responsive to the intent of our recommendations.

Finding 2   CDFI Fund Systems Were Configured With Insecure Default Settings

We determined that some CDFI Fund systems were running software with insecure default configuration settings. Based on our network scans, we found the following:

    •   Ten systems where users could obtain the Windows password policy without authentication.

        The Windows password policy contains sensitive information about minimum password length, password lockout threshold, password lockout duration, and so on.

    •   As discussed in Finding 1 above, six printers running the FTP server service were found that did not have passwords.

        The FTP service is installed by default on many printer controllers and often is configured in an insecure manner. The CDFI Fund network administrator indicated that they were unaware the service was active on these printers and that it was unnecessary. The administrator subsequently disabled the service on each printer.

    •   Ten systems with default or guessable Simple Network Management Protocol (SNMP) read-only community names.

        SNMP is a commonly used network service that provides network administrators with information about devices connected to the network. Ten SNMP servers were configured with simple default community names, which should be changed by the system administrators prior to deployment. The community name functions as the password for access to the device. Anyone who knows the read-only community name and has a network connection to the device can retrieve sensitive technical information about the device configuration.

    •   Four systems with default or guessable SNMP read/write community names.

        Anyone who knows the read/write community name and has a network connection to the device can retrieve information about the device configuration, change the configuration, or disable the device.

    •   One system with two vulnerabilities related to the default sample programs installed on the Apache Tomcat server.

        A Tomcat server is used to host Web-based applications utilizing the Java programming language. An attacker could exploit these vulnerabilities to send attack code to the user's Web browser. This code can be used to retrieve information stored in the browser, redirect the user to another Web site, or issue additional Web page requests on the user's behalf.

NIST's Recommended Security Controls for Federal Information Systems requires organizations to configure their information systems to provide only essential capabilities and specifically prohibit or restrict the use of agency-defined functions, ports, protocols, or services. In addition, NIST SP 800-123, Guide to General Server Security, recommends SNMP be removed or disabled if it is not required. NIST SP 800-44, Guidelines on Securing Public Web Servers, recommends that system administrators remove all example or test files from servers, including scripts and executable code.

Default settings on network services existed because administrators did not harden the systems before placing them in the production environment.

Anonymous access to domain password information allows attackers connected to the CDFI Fund network without authentication to design password attacks within the confines of the policy. Customizing the password attack list significantly decreases the number of passwords an attacker would have to guess. Unnecessary services can provide methods of attack that would not be possible if the service were disabled. If SNMP community names are not changed from the default, attackers can use them to view and modify system configurations. Finally, the presence of known vulnerable sample applications on the Apache server can allow attackers to steal login IDs and other information from legitimate users of the system.

Recommendations

We recommend that the Director of the CDFI Fund do the following:

3. Implement Windows security settings that prevent unauthenticated users from accessing domain policies.
4. Scan all CDFI systems on a regular basis to determine if unnecessary services are present and remove unnecessary services.
5. Change SNMP community names to comply with Treasury password requirements or remove or disable unnecessary SNMP services on network devices.
6. Remove sample applications installed on the Apache Tomcat server.

Management Response

The CDFI Fund has implemented Windows security settings that prevent unauthenticated users from accessing domain policies. The CDFI Fund currently performs monthly Federal Information Security Management Act compliant and Federal Desktop Core Configuration vulnerability scans and all unneeded services have been removed from all the CDFI Fund's servers. Additionally, CDFI Fund has changed all SNMP read/write community strings to passwords that meet/exceed Treasury requirements. Finally, the CDFI Fund removed the Documentum services from the enterprise in November of 2009. The Documentum application/service contained two Tomcat vulnerabilities that were identified in the OIG's audit.

OIG Comment

Management's reported corrective actions are responsive to the intent of our recommendations.

Finding 3   A Critical Patch Was Not Applied for One CDFI Fund System

Although most CDFI Fund systems had current critical security patches installed, we identified one system missing a critical patch which allowed remote exploitation.
We succeeded in exploiting this vulnerability during our test and gained system-level access, which allows full control of a system. While system-level access did give us full control of the specific system that lacked the critical patch, that system had no access privileges to other CDFI Fund systems. As a result, we were unable to directly access CDFI Fund network servers based on the access level gained on this system. However, an attacker could use this level of access to reconfigure or disable the system, store and transmit information, or serve malicious content to CDFI Fund users from within the network. The system that lacked the patch is used specifically to control a printer and is not a critical system.

Treasury Directive Publication 85-01, Treasury Information Technology Security Program, requires bureaus to ensure that security patches are tested and installed on a timeline in accordance with the criticality of the patches.

According to the CDFI Fund system administrator, the system had not been patched because it was part of a printer.

Without the critical patch, the printer was vulnerable to attack. An attacker could view any documents sent to the printer, modify printer settings, and use the compromised printer to attack other CDFI Fund systems.

Recommendation

We recommend that the Director of the CDFI Fund do the following:

7. Apply critical security patches on the identified system, disable the identified system, or provide another compensating control(s) if patches are not available.

Management Response

The actual system identified in the OIG's findings was a printer which was disabled and removed from the network in January of 2010. The CDFI Fund has also removed similar systems from the network to mitigate any future risk.

OIG Comment

Management's reported corrective action is responsive to the intent of our recommendation.

******

I would like to extend my appreciation to the Director of the CDFI Fund and to CDFI Fund staff for the cooperation and courtesies extended to my staff during the audit. If you have any questions, please contact me at (202) 927-5171 or Susan Miller, Audit Manager, at (202) 927-5746. Major contributors to this report are listed in appendix 3.

/s/

Tram Jacquelyn Dang
Audit Director

Appendix 1
Objective, Scope, and Methodology

The purpose of this audit was to assess the security of the Community Development Financial Institutions (CDFI) Fund's network and systems. Our overall objective was to determine if the CDFI Fund had sufficient protections in place to prevent intrusions into its network and systems.

To accomplish our objective, we performed a series of vulnerability assessments and penetration tests of the CDFI Fund's network and systems. Penetration testing was performed external to the CDFI Fund's network using only information available to the general public. Vulnerability assessments inside the CDFI Fund's network were performed from an administrative perspective with full knowledge and system access. We performed a series of social engineering tests to determine whether CDFI Fund users were aware of cybersecurity threats and users' role in protecting agency information technology resources. The results of this audit may be used to support our work undertaken in accordance with the requirements of the Federal Information Security Management Act.

We performed our fieldwork at CDFI Fund facilities in Washington, DC, from February through April 2009. The audit was performed in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix 2
Management Response

Appendix 3
Major Contributors To This Report

Office of IT Audits

Tram J. Dang, Director
Susan Miller, IT Audit Manager
Gerald J. Steere, IT Specialist (Lead)
Abdil Salah, IT Specialist
Jane E. Lee, IT Specialist
Larissa Klimpel, IT Specialist
Timothy Cargill, Referencer

Appendix 4
Report Distribution

Community Development Financial Institutions Fund

    Director

Department of the Treasury

    Office of Accounting and Internal Control
    Office of Strategic Planning and Performance Management
    Office of the Chief Information Officer

Office of Management and Budget

    Office of Inspector General Budget Examiner